How to prevent a WordPress website from being hacked and what to do if it is hacked

WordPress is a great Content Management System but you need to take steps to defend your website against hackers and know what to do if it is.

Protect your website from the threat of hacking

What is a website hack?

A website hack is an unauthorized breach of, or access to, a website that lets the attacker perform actions on it or obtain sensitive information from it. The impact can range from a simple annoyance to serious consequences, including loss of sensitive information, disruption of services and damage to the website's reputation. It is therefore important for website owners to take steps to secure their websites, such as following secure programming practices and keeping software up to date, to reduce the risk of a hack.

From the moment a new website is live, it could take less than a minute before hackers are trying to break in

WordPress is a great Content Management System with a rich ecosystem of plugins, themes and extensions that makes managing your website a breeze. But be aware that you still need to take steps to defend your website against hackers.

Our experience shows that from the moment a new website is live on the internet, it could take less than a minute before hackers are trying to break in. They run hacking bots that never rest, constantly probing websites across the internet for a large and ever-increasing catalog of vulnerabilities. The good news is that you can take sensible steps to defend against this onslaught, and even if a hacker still gets in, you can recover from the breach.

The most common ways hackers and bots break into WordPress websites are:

  • Known vulnerabilities in WordPress itself
    These happen infrequently, but are always added to the hacker's arsenal of attacks.
  • Insecure themes
    Third-party themes are a common point of attack if they are not written to security best-practice principles.
  • Vulnerable plugins
    The most common method of attack. Some plugins become abandoned by their developers, others aren't patched quickly enough.
  • Weak passwords
    We see this far too often: choosing an easy-to-remember password based on dictionary words will eventually lead to tears.

How to prevent your WordPress website from being hacked

Preventing a WordPress website from being hacked requires a comprehensive approach that combines both technical and administrative measures. Here are some steps you can take to secure your WordPress website:

  • Stay up-to-date
    This is the most important action you can take to avoid your site getting hacked. Log in regularly to your website and apply any updates to WordPress core, themes and plugins whenever they become available. Don’t leave it to your imperfect memory, set yourself a calendar reminder to do this once every week or two.
  • Use SSL Certificates
    An SSL/TLS certificate enables HTTPS, which encrypts data sent between a website and its users. This encryption ensures that sensitive information in transit, such as login credentials and credit card numbers, cannot be read or tampered with by unauthorized parties, including hackers. Note that it only protects data on the wire: it does nothing against a vulnerable plugin or a weak password, so it complements the other steps here rather than replacing them.
  • Install a security plugin
    Install a security plugin like Wordfence, Sucuri or iThemes Security. These plugins scan your WordPress core, known plugins and themes against a database of reference code, alerting you to any differences between the reference code and the code on your site. They also provide other features like malware scanning, automatic firewalling and preventing attacks from known malicious IP addresses.
  • Limit login attempts
    Most security plugins have a feature to limit the number of login attempts a user can make, which helps prevent brute-force attacks.
  • Two-factor authentication (2FA)
    Two-factor authentication (2FA) adds an extra layer of security by requiring users to provide a second form of authentication, such as a one-time code generated by a separate device, in addition to their password. This makes it much harder for a hacker to access your website, even if they have your password.
  • Disable debug logging
    Whether debug logging is enabled depends on how PHP is configured on your server, but it can also be controlled by WordPress' debugging constants. Error output is useful to a developer but it also hands an attacker file paths and database details, so keep it off on a live site. Add the following lines to your wp-config.php to disable debug output and logging:

    define( 'WP_DEBUG_DISPLAY', false ); // never show PHP errors in the browser
    define( 'WP_DEBUG_LOG', false );     // do not write errors to wp-content/debug.log
  • Use strong passwords
    Use a combination of letters, numbers, and special characters in your passwords, and make sure that they are at least 8 characters long.
  • Use a password manager
    Use a password manager like LastPass or 1Password. Using a password manager is not just for WordPress, it will change your life! You'll only ever need to remember one password, the password for your password vault. All your other passwords will be secure and virtually uncrackable, like this one: 8!9Gbqe3QC^jmnEm3RC.
  • Take regular backups
    It's always a good idea to keep backups. Even in spite of your best efforts, it's possible that a vulnerability could be discovered and used against your website before a security update is available. All of Serversaurus' shared hosting accounts are backed up every 4 hours using JetBackup and around 3 weeks of backups are retained. There is a simple and quick interface to restore your hosting account within minutes from a prior backup. We also recommend keeping your own backups, for complete peace of mind. WordPress can automatically email you a copy of your database periodically using the WordPress Database Backup plugin.
  • Remove any plugins or themes you don’t use
    Even though you aren't using them, inactive themes and plugins are still installed on your website. They may consume resources and, more importantly, may contain vulnerabilities that can be exploited even though they're listed as inactive in your Dashboard.
  • Give preference to well-known themes and plugins
    If they suit your needs completely, give preference to well-known themes and plugins. Never download plugins or themes from sources other than the WordPress plugin/theme directory.
  • Ensure you follow all these suggestions
    For example, a strong password does not protect you from vulnerabilities, and a fully updated WordPress with a strong password but without backups still leaves you exposed.
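The "Install a security plugin" step above describes comparing your site's files against reference code. The script below is an added example (not part of this article or any plugin) of that file-integrity technique: it hashes every file under a WordPress directory into a baseline manifest, then reports anything added, removed or modified. The directory layout and file contents in demo() are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root) -> dict:
    """Map each file path (relative to root) to the SHA-256 digest of its contents."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report files added, removed or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline.keys() & current.keys() if baseline[p] != current[p]
        ),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, tamper with the tree, then diff."""
    with tempfile.TemporaryDirectory() as root:
        site = Path(root)
        (site / "wp-includes").mkdir()
        (site / "wp-includes" / "version.php").write_text("<?php $wp_version = '6.4';\n")
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        baseline = build_manifest(site)  # store this somewhere the web server cannot write
        # Simulated tampering: a core file is altered and an unexpected file appears.
        (site / "wp-includes" / "version.php").write_text("<?php $wp_version = '6.4'; // x\n")
        (site / "wp-includes" / "class-extra.php").write_text("<?php\n")
        return compare_manifests(baseline, build_manifest(site))


if __name__ == "__main__":
    print(demo())
```

Keep the baseline manifest outside the web root so a compromised site cannot rewrite it; WP-CLI's `wp core verify-checksums` performs the same comparison for core files against the checksums WordPress.org publishes for each release.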

What steps to take if your WordPress website is hacked

If your WordPress website is hacked, take these steps as quickly as possible to minimise the damage and prevent further attacks:

  • Isolate the infected website
    Disconnect your website from the Internet and remove any backups or files stored on your computer to prevent the attacker from accessing them.
  • Change all passwords
    Change passwords for all accounts connected to your website, including your WordPress admin account, hosting account, and FTP account. Use strong, unique passwords and consider using a password manager to store them securely.
  • Scan your website for malware
    Use a security plugin or online malware scanner to detect and remove any malware or malicious code on your website.
  • Restore a clean backup
    If you have a recent, clean backup of your website, restore it to remove malware and undo any changes made by the attacker.
  • Update all software
    Update your WordPress software, themes, and plugins to the latest versions to ensure any vulnerabilities are patched.
  • Review your security measures
    Once your website is secure, review your security measures to identify areas that need improvement. Consider using a security plugin, implementing two-factor authentication, and following best practices for password protection.
  • Notify your hosting provider
    Let your hosting provider know about the hack; once they are aware of it, they may be able to help you secure and restore your website.
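The "Scan your website for malware" step relies on a security plugin or online scanner. As an added example (not from this article or any scanner product), the script below shows the kind of heuristic such tools apply: it walks a WordPress tree, flags PHP files sitting in wp-content/uploads (which should only hold media) and flags PHP source containing functions commonly used to hide injected code. The file tree in demo() is constructed; the suspicious sample contains no working payload.

```python
import re
import tempfile
from pathlib import Path

# Heuristics commonly associated with injected PHP. Legitimate code also uses these
# functions, so treat every hit as something to review, not as proof of compromise.
SUSPICIOUS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate": re.compile(r"\bgzinflate\s*\("),
}
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7"}


def scan_file(path: Path, root: Path) -> list:
    """Return the list of rule names that fire for one file (empty if clean)."""
    rel = path.relative_to(root).as_posix()
    is_php = path.suffix.lower() in PHP_EXTENSIONS
    findings = []
    if is_php and rel.startswith("wp-content/uploads/"):
        findings.append("php-in-uploads")
    if is_php:
        text = path.read_text(errors="replace")
        findings.extend(name for name, rx in SUSPICIOUS.items() if rx.search(text))
    return findings


def scan_tree(root) -> dict:
    """Map each flagged file (relative path) to its findings; clean files are omitted."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if path.is_file():
            findings = scan_file(path, root)
            if findings:
                report[path.relative_to(root).as_posix()] = findings
    return report


def demo() -> dict:
    """Constructed tree: normal core/theme files plus one planted file in uploads."""
    with tempfile.TemporaryDirectory() as root:
        site = Path(root)
        (site / "wp-includes").mkdir()
        (site / "wp-includes" / "version.php").write_text("<?php $wp_version = '6.4';\n")
        theme = site / "wp-content" / "themes" / "mytheme"
        theme.mkdir(parents=True)
        (theme / "functions.php").write_text("<?php add_action('init', 'theme_setup');\n")
        uploads = site / "wp-content" / "uploads" / "2023" / "11"
        uploads.mkdir(parents=True)
        (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff")  # constructed, not a real image
        (uploads / "wp-cache.php").write_text(
            "<?php eval(gzinflate(base64_decode('not-a-real-payload')));\n")
        return scan_tree(site)
```

Pair the output with the file modification times and your last known-good backup to decide what to remove and what to restore.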

Last updated November 30, 2023